Security: LOSGARDIOS/codegraph

SECURITY.md

Security Policy

Reporting a Vulnerability

Do NOT open a public issue for security vulnerabilities.

Email: security@agentskills.co.il

Response Timeline

  • Acknowledgment: Within 24 hours
  • Initial assessment: Within 72 hours
  • Resolution target: Based on severity

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Which skill(s) are affected
  • Potential impact

Security Scanning Pipeline

Every skill submission goes through automated security scanning:

  1. SKILL.md Validation - Checks for hardcoded secrets (API keys, tokens, passwords)
  2. Snyk Agent Scan (mcp-scan) - Detects prompt injection, data exfiltration, credential theft, and obfuscated payloads using LLM-based intent analysis
  3. Dependency Scan - If the skill includes package.json or requirements.txt, dependencies are scanned with --severity-threshold=high

Scope

This policy covers all repositories under the skills-il GitHub organization.

Responsible Disclosure

We follow responsible disclosure practices. We will:

  • Confirm receipt of your report
  • Keep you informed of progress
  • Credit you in the fix (unless you prefer anonymity)
  • Not take legal action against good-faith researchers

There aren't any published security advisories